February 15, 2018

Intel expands bug bounty to catch more Spectre-like security flaws

by John_A

To say Intel was caught flat-footed by the Meltdown and Spectre flaws would be an understatement. However, it has a potential solution: enlist more people for help. It’s widening its bug bounty program to both include more researchers and offer more incentives to spot Meltdown- and Spectre-like holes. The program is now open to all security researchers, not just by invitation, and includes sweeter rewards for discovering exploits. You now get up to $100,000 for disclosing general security flaws, and there’s a new program dedicated to side channel vulnerabilities (read: issues like Spectre) that offers up to $250,000 through December 31st, 2018.

The higher bounty stems in part from the complexity of demonstrating exploits. Unlike most purely software-driven attacks, the speculative execution tricks behind Meltdown and Spectre require extensive know-how.

The end date on the side channel bounty sets a firm limit on what the program will achieve, although Intel’s promise of more secure chips in 2018 could reduce the need to single out these sorts of attacks. The bug bounty program will continue to “evolve,” Intel added, so it’s not set in stone. There’s no question about what the chip giant wants, though: it’s racing to identify as many processor-related flaws as it can while its CPUs are known to be vulnerable and interest in the subject is high.